Copying and pasting image URLs is super nice, but if your client automatically displays them, you might be at risk of leaking your IP and user agent 👇

Discussion

Wait a second, how do you see this? 👀

The link to the image leads to my server which reads the IP and user-agent from the request headers. It then renders it into the image. Every user sees something different depending on which client they use.

My findings so far

Damus: leaks IP, (can't swipe to see what user agent says 🙈)

Amethyst: protects IP, leaks user agent (Amethyst/version_number)

Primal: protects IP and user agent (images appear to be proxied)

Gossip: leaks IP, no user agent

Gossip has an option to avoid loading media remotely, for this exact reason.

I was so confused at first. I was like wait that IP seems familiar. This is quite the use case though!
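
To check what a client discloses when it auto-loads an image, the following added example (not code from any post in this thread) runs a local server that records the source IP and User-Agent of the fetch, as described above. The names `observe_fetch`, `direct_fetch` and `no_remote_media`, and the `ExampleClient/1.0` string, are hypothetical and constructed for illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# 1x1 GIF used as a placeholder image body (constructed sample).
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
         b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

def observe_fetch(fetch):
    """Serve one image on 127.0.0.1 and return what each fetching client disclosed."""
    seen = []

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Everything recorded here is visible to any server hosting a linked image.
            seen.append({
                "ip": self.client_address[0],
                "user_agent": self.headers.get("User-Agent"),
            })
            self.send_response(200)
            self.send_header("Content-Type", "image/gif")
            self.send_header("Content-Length", str(len(PIXEL)))
            self.end_headers()
            self.wfile.write(PIXEL)

        def log_message(self, *args):  # keep stderr quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        fetch(f"http://127.0.0.1:{server.server_address[1]}/test.gif")
    finally:
        server.shutdown()
        server.server_close()
    return seen

def direct_fetch(url):
    # Stands in for a client that loads the image itself and identifies itself.
    req = urllib.request.Request(url, headers={"User-Agent": "ExampleClient/1.0"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    opener.open(req, timeout=5).read()

def no_remote_media(url):
    # Stands in for a client with remote media loading disabled: no request is sent.
    return None

if __name__ == "__main__":
    print(observe_fetch(direct_fetch))     # one entry: loopback IP and the User-Agent
    print(observe_fetch(no_remote_media))  # empty list: nothing was disclosed
```

Passing a `fetch` callable that goes through an image proxy or a VPN shows the proxy's or tunnel's address and headers in place of the client's own.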